So we can write 7 bytes to an rwx section. This practically begs for shellcode to be placed there, but 7 bytes aren't much to do anything useful with.

Checking the main function, we can also see that there's a hidden menu, reached by entering 31337. It calls a function that leaks its own address and lets us overwrite the return address with a value smaller than its own address. We can use this to return to the rwx section, where we prepared shellcode, which will then get executed.

    int leet_leak()
    {
        puts("=============================================");
        printf("I will give you a gift %p\n", leet_leak);
        read(0, &buf, 0x18);
        // various checks...
        puts("Done!!");
    }
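What makes the return into attacker-written bytes possible is a mapping that is both writable and executable. As an added example (not code from the original writeup or the challenge binary), the following C code scans a /proc/<pid>/maps listing and reports such mappings; the sample listing with its addresses and paths, and the function names, are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in /proc/<pid>/maps format; addresses and paths are made up. */
static const char *SAMPLE_MAPS =
    "00400000-00401000 r-xp 00000000 08:01 1234 /home/ctf/challenge\n"
    "00601000-00602000 rw-p 00001000 08:01 1234 /home/ctf/challenge\n"
    "00602000-00603000 rwxp 00002000 08:01 1234 /home/ctf/challenge\n"
    "7ffc1000-7ffe2000 rw-p 00000000 00:00 0 [stack]\n";

/* Returns 1 if the maps line describes a mapping that is both writable and
 * executable, 0 if it is not, -1 if the line does not parse. */
int is_wx_mapping(const char *line, unsigned long *start, unsigned long *end)
{
    char perms[5];
    if (sscanf(line, "%lx-%lx %4s", start, end, perms) != 3 || strlen(perms) != 4)
        return -1;
    return perms[1] == 'w' && perms[2] == 'x';
}

/* Scans a whole maps listing, prints each W+X mapping and returns how many
 * were found. Lines that do not parse are skipped. */
int count_wx_mappings(const char *maps)
{
    int hits = 0;
    while (*maps) {
        char line[512];
        size_t len = strcspn(maps, "\n");
        size_t n = len < sizeof line - 1 ? len : sizeof line - 1;
        memcpy(line, maps, n);
        line[n] = '\0';
        unsigned long start, end;
        if (is_wx_mapping(line, &start, &end) == 1) {
            printf("W+X mapping: %lx-%lx (%lu bytes)\n", start, end, end - start);
            hits++;
        }
        maps += len;
        if (*maps == '\n')
            maps++;
    }
    return hits;
}

int main(void)
{
    /* Non-zero exit status when any W+X mapping is present. */
    return count_wx_mappings(SAMPLE_MAPS) ? 1 : 0;
}
```

A process with no W+X mappings leaves a 7-byte write like the one above as plain data, so the overwritten return address has no attacker-controlled code to land on.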

Adding blog entries will create a chunk on the heap and store the address of the blog entry directly behind the blog owner in the rwx section.